in the SDF locations window, a summary appears featuring the changes that will be deployed to the router, as shown in Figure . The wizard includes information about the interfaces and direction in which the IPS rules will be applied, the SDF location, and whether built-in signatures are enabled for backup use. Once you have reviewed the summary, deploy the configuration by clicking the Finish button.
Verifying IPS Deployment
After the IPS commands that the wizard generates are sent to the router, you are brought to the Edit IPS tab. Figure shows the steps that you use to access the Cisco SDM signatures form, where you can verify your IPS deployment. In the menu under the Edit IPS tab, you can verify and modify the configured settings and view and tune the available signatures. There are four sections in the Edit IPS menu:
- IPS Policies
- Global Settings
- Security Device Event Exchange (SDEE) Messages
- Signatures
6.5 Configuring Cisco IOS IPS
6.5.7 Configuring IPS Policies and Global Settings
Figure shows the Cisco SDM Edit IPS Policies tab with the IPS Policies feature selected. Click IPS Policies in the menu part of the Edit IPS tab to verify the assignment of IPS rules to the router interfaces. In the example, the only enabled IPS rule is attached to the Serial0/0/0 interface in the inbound direction. This configuration matches the settings you previously submitted in the IPS Policies wizard. This rule corresponds to the Identifying Interfaces and Flow Direction step of the IPS Policies wizard, in which the IPS rule was applied inbound to the outside interface (Serial0/0/0).
Global Settings
Figure shows the Cisco SDM Edit IPS Policies tab with the Global Settings feature selected. This tab is where you view and modify IPS global settings using the SDM. The global settings are the general IPS settings that are configured on the router. These settings include reporting settings using two protocols: syslog and SDEE.
Note
SDEE is an application-level communications protocol that is used to exchange IPS messages between IPS clients and IPS servers. You do not need to configure the address of the SDEE server. SDM uses SDEE to reference and extract the event logs from the router.
In this tab, you also see the status of the fail-closed setting. The SDM default is fail-closed disabled; with that default, traffic that the IPS engine cannot scan is forwarded uninspected. If fail-closed is enabled, the router drops all packets whenever the IPS engine is unable to scan data. Finally, you can verify whether the built-in signatures have been enabled for backup purposes, to be used if the configured SDF is unavailable or cannot be loaded. If you want to modify any of these global settings, click the Edit button in the upper-right corner of the window to perform the desired changes. A configuration window opens in which you can modify any parameters that you see in Figure .
6.5.8 Viewing SDEE Messages
Figure shows the Cisco SDM Edit IPS Policies tab with the SDEE Messages feature selected and the list of SDEE message types displayed. The SDM offers you the option to view the SDEE messages if you click SDEE Messages in the middle part of the Edit IPS tab. By default, all message types appear in the window. You can limit the number of messages that appear by selecting the category from the SDEE Messages drop-down list in the upper-right corner.
Note
This SDEE Messages view does not work in real time. If you want to display the current messages, you need to click the Refresh button in the upper-right corner of the window.
Viewing SDEE Status Messages
You can use the SDM to view the SDEE status messages. Figure shows the Cisco SDM Edit IPS Policies tab with the SDEE Messages feature selected and the SDEE Status message type selected. Choose Status from the SDEE Messages drop-down list to display the status events only. This view includes reports about the status of all IPS engines. You can see the compilation results for engines that have signatures associated with them, along with their status. You can also see which engines have not been built because no signatures were associated with them. You can identify such engines by looking for the message ENGINE_BUILD_SKIPPED: [engine name] – there are no new signature definitions. In this example, the MULTI-STRING engine has not been built.
Viewing SDEE Alerts
You can use the SDM to view the
SDEE alerts. Figure shows the Cisco SDM Edit IPS Policies tab
with the SDEE Messages feature selected and the SDEE Alerts
message type selected. Choose Alerts from the SDEE
Messages drop-down list to view the alerts only. The alerts are
fired by the enabled signatures that you included in the loaded
SDF. The messages display all the details of a firing
signature, such as the target and attacker IP address, alarm
severity, signature ID and sub-ID, signature name, and more.
Note
Although you can view all the details about a specific alert, this view is not intended to provide real-time monitoring capabilities. The view does not have the filtering, search, or correlation functions that are necessary for a monitoring solution. In the example, you can see that a hacker has been attempting Internet Information Server (IIS) Unicode, IIS DOT DOT Execute, and WWW Directory Traversal attacks against a protected system. Signatures 3215, 3216, and 5114 fired alarms with medium severity levels. If you scroll down the tab, you can view the attacker and target IP addresses and other information.
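The filtering and correlation that the Note says the SDM view lacks can be done offline on exported alerts. The following script is an added example, not part of the course material or any Cisco tool: it parses a constructed batch of SDEE-style alert records, keeps those at or above a chosen severity, and reports attacker/target pairs hit by several distinct signatures, as in the example above. The XML element names and the pairing of signature IDs with names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample batch: four evIdsAlert records in a simplified SDEE-like
# XML layout. Element/attribute names and the signature-ID-to-name pairing are
# assumptions for illustration, not a verbatim copy of Cisco's SDEE schema.
SAMPLE_SDEE = """<events>
<evIdsAlert eventId="1" severity="medium"><signature id="3215" subSigId="0" description="IIS DOT DOT Execute"/>
<attacker><addr>203.0.113.10</addr></attacker><target><addr>192.0.2.20</addr></target></evIdsAlert>
<evIdsAlert eventId="2" severity="medium"><signature id="3216" subSigId="0" description="IIS Unicode"/>
<attacker><addr>203.0.113.10</addr></attacker><target><addr>192.0.2.20</addr></target></evIdsAlert>
<evIdsAlert eventId="3" severity="medium"><signature id="5114" subSigId="0" description="WWW Directory Traversal"/>
<attacker><addr>203.0.113.10</addr></attacker><target><addr>192.0.2.20</addr></target></evIdsAlert>
<evIdsAlert eventId="4" severity="low"><signature id="9001" subSigId="0" description="Constructed low-severity event"/>
<attacker><addr>198.51.100.7</addr></attacker><target><addr>192.0.2.21</addr></target></evIdsAlert>
</events>"""

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

def parse_alerts(xml_text):
    """Flatten each evIdsAlert into the fields the SDM alert view displays."""
    alerts = []
    for ev in ET.fromstring(xml_text).iter("evIdsAlert"):
        sig = ev.find("signature")
        alerts.append({
            "event_id": ev.get("eventId"),
            "severity": ev.get("severity"),
            "sig_id": sig.get("id"),
            "sub_id": sig.get("subSigId"),
            "name": sig.get("description"),
            "attacker": ev.findtext("attacker/addr"),
            "target": ev.findtext("target/addr"),
        })
    return alerts

def correlate(alerts, min_severity="medium", min_distinct_sigs=2):
    """Keep alerts at or above min_severity, group them by (attacker, target)
    and return the pairs where at least min_distinct_sigs different signatures
    fired: one source hitting one host with several attacks, as in the example."""
    by_pair = defaultdict(set)
    for a in alerts:
        if SEVERITY_RANK.get(a["severity"], 0) >= SEVERITY_RANK[min_severity]:
            by_pair[(a["attacker"], a["target"])].add(a["sig_id"])
    return {pair: sorted(sigs) for pair, sigs in by_pair.items()
            if len(sigs) >= min_distinct_sigs}

if __name__ == "__main__":
    for (src, dst), sigs in correlate(parse_alerts(SAMPLE_SDEE)).items():
        print(f"{src} -> {dst}: signatures {', '.join(sigs)}")
```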
6.5.9 Tuning Signatures
You may want to make changes to a defined signature. You can both edit a signature and disable a signature group. Figure shows the Cisco SDM Edit IPS Policies tab with the Signatures feature selected and the Edit Signatures button identified. To view the parameters of a specific signature or tune the signature settings, click Signatures in the middle part of the Edit IPS tab, select the appropriate signature category from the list in the middle of the window, and locate the desired signature in the right part of the window. You can also use the search options Select by and Criteria that are available at the top of the window to find the signature easily. In the example, you want to view and modify the settings of the signature named Invalid DHCP Packet, number 4619, which is listed under the Attack category. Select the signature and click the Edit button to launch the Edit Signature window.
Editing a Signature
Figure shows the Edit Signature window and identifies how to edit various signature parameters. When the Edit Signature window opens, you can view the current signature settings. Select an option that you want to modify by clicking the green square next to the option. The green square turns red, and you can select the desired setting from the drop-down list associated with the respective parameter. In the example, the alarm severity is increased from the default value of medium to high. Click OK to apply the change to the router.
Disabling a Signature Group
Figure shows the Cisco SDM Edit IPS Policies tab with the Signatures feature selected and the steps you use to disable a group of signatures. SDM allows you to disable individual signatures or entire signature groups. In the example, the Cisco IOS router protects a network that contains only Windows hosts. To tune the active signatures to better match this environment, disable all UNIX-related signatures:
Step 1 Select the UNIX sub-tree under the OS signature category.
Step 2 Click the Select All button to select all signatures in the selected category.
Step 3 Click the Disable button to disable all selected signatures on the IOS router.
Step 4 Click the Apply Changes button to deliver the configuration to the device.
Verifying the Tuned